openstack/neutron
Code Issues Proposed changes

Merge "Replace remaining ovsfw constants"

Browse Source
This commit is contained in:
Zuul
2025-02-15 18:34:02 +00:00
committed by Gerrit Code Review
parent a3f3397706 0433d0846e
commit 30f71cca24
5 changed files with 46 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
neutron/agent/linux/openvswitch_firewall/constants.py
View File

@@ -31,11 +31,6 @@ OF_STATE_NOT_REPLY_NOT_NEW = "-new-rpl"
CT_MARK_NORMAL = '0x0'
CT_MARK_INVALID = '0x1'
REG_PORT = 5
REG_NET = 6
# for logging remote group rule
REG_REMOTE_GROUP = 7
PROTOCOLS_WITH_PORTS = (constants.PROTO_NAME_SCTP,
constants.PROTO_NAME_TCP,
constants.PROTO_NAME_UDP)

42
neutron/agent/linux/openvswitch_firewall/firewall.py
View File

@@ -21,6 +21,7 @@ import re
import eventlet
import netaddr
from neutron_lib.agent.common import constants as agent_consts
from neutron_lib.callbacks import events as callbacks_events
from neutron_lib.callbacks import registry as callbacks_registry
from neutron_lib.callbacks import resources as callbacks_resources
@@ -67,10 +68,13 @@ def _replace_register(flow_params, register_number, register_value):
def create_reg_numbers(flow_params):
"""Replace reg_(port|net) values with defined register numbers"""
_replace_register(flow_params, ovsfw_consts.REG_PORT, 'reg_port')
_replace_register(flow_params, ovsfw_consts.REG_NET, 'reg_net')
_replace_register(
flow_params, ovsfw_consts.REG_REMOTE_GROUP, 'reg_remote_group')
flow_params, agent_consts.REG_PORT, agent_consts.PORT_REG_NAME)
_replace_register(
flow_params, agent_consts.REG_NET, agent_consts.NET_REG_NAME)
_replace_register(
flow_params, agent_consts.REG_REMOTE_GROUP,
agent_consts.REMOTE_GROUP_REG_NAME)
def get_segmentation_id_from_other_config(bridge, port_name):
@@ -910,10 +914,10 @@ class OVSFirewallDriver(firewall.FirewallDriver):
actions = ('set_field:{:d}->reg{:d},'
'set_field:{:d}->reg{:d},').format(
ofport,
ovsfw_consts.REG_PORT,
agent_consts.REG_PORT,
# This always needs the local vlan.
local_vlan,
ovsfw_consts.REG_NET)
agent_consts.REG_NET)
if network_type == lib_const.TYPE_VLAN:
actions += 'strip_vlan,resubmit(,{:d})'.format(
ovs_consts.BASE_INGRESS_TABLE)
@@ -962,9 +966,9 @@ class OVSFirewallDriver(firewall.FirewallDriver):
'set_field:{:d}->reg{:d},'
'resubmit(,{:d})'.format(
port.ofport,
ovsfw_consts.REG_PORT,
agent_consts.REG_PORT,
port.vlan_tag,
ovsfw_consts.REG_NET,
agent_consts.REG_NET,
ovs_consts.BASE_EGRESS_TABLE)
)
@@ -984,9 +988,9 @@ class OVSFirewallDriver(firewall.FirewallDriver):
'set_field:{:d}->reg{:d},'
'strip_vlan,resubmit(,{:d})'.format(
port.ofport,
ovsfw_consts.REG_PORT,
agent_consts.REG_PORT,
port.vlan_tag,
ovsfw_consts.REG_NET,
agent_consts.REG_NET,
ovs_consts.BASE_INGRESS_TABLE),
)
@@ -1051,9 +1055,9 @@ class OVSFirewallDriver(firewall.FirewallDriver):
'set_field:%d->reg%d,'
'resubmit(,%d)' % (
ovs_port.ofport,
ovsfw_consts.REG_PORT,
agent_consts.REG_PORT,
vlan_tag,
ovsfw_consts.REG_NET,
agent_consts.REG_NET,
ovs_consts.ACCEPT_OR_INGRESS_TABLE)
)
self._add_flow(
@@ -1131,7 +1135,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
nw_src=ip_addr,
actions='ct(table={:d},zone=NXM_NX_REG{:d}[0..15])'.format(
ovs_consts.RULES_EGRESS_TABLE,
ovsfw_consts.REG_NET)
agent_consts.REG_NET)
)
# Apply mac/ip pairs for IPv6
@@ -1149,7 +1153,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
ipv6_src=ip_addr,
actions='ct(table={:d},zone=NXM_NX_REG{:d}[0..15])'.format(
ovs_consts.RULES_EGRESS_TABLE,
ovsfw_consts.REG_NET)
agent_consts.REG_NET)
)
# DHCP discovery
@@ -1237,7 +1241,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
reg_net=port.vlan_tag,
actions='set_field:{:d}->reg{:d},resubmit(,{:d})'.format(
port.ofport,
ovsfw_consts.REG_PORT,
agent_consts.REG_PORT,
ovs_consts.BASE_INGRESS_TABLE),
)
for ethertype in [lib_const.ETHERTYPE_IP, lib_const.ETHERTYPE_IPV6]:
@@ -1249,7 +1253,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED,
actions='ct(commit,zone=NXM_NX_REG{:d}[0..15]),'
'resubmit(,{:d})'.format(
ovsfw_consts.REG_NET,
agent_consts.REG_NET,
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
)
self._add_flow(
@@ -1392,7 +1396,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
ct_state=ovsfw_consts.OF_STATE_ESTABLISHED,
actions="ct(commit,zone=NXM_NX_REG{:d}[0..15],"
"exec(set_field:{:s}->ct_mark))".format(
ovsfw_consts.REG_NET,
agent_consts.REG_NET,
ovsfw_consts.CT_MARK_INVALID)
)
@@ -1459,7 +1463,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
ct_state=ovsfw_consts.OF_STATE_NOT_TRACKED,
actions='ct(table={:d},zone=NXM_NX_REG{:d}[0..15])'.format(
ovs_consts.RULES_INGRESS_TABLE,
ovsfw_consts.REG_NET)
agent_consts.REG_NET)
)
self._add_flow(
table=ovs_consts.BASE_INGRESS_TABLE,
@@ -1527,7 +1531,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
ct_state=ovsfw_consts.OF_STATE_ESTABLISHED,
actions="ct(commit,zone=NXM_NX_REG{:d}[0..15],"
"exec(set_field:{:s}->ct_mark))".format(
ovsfw_consts.REG_NET,
agent_consts.REG_NET,
ovsfw_consts.CT_MARK_INVALID)
)
@@ -1597,7 +1601,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
port, conj_id, direction, ethertype):
flow['actions'] = "set_field:{:d}->reg{:d},{:s}".format(
flow['conj_id'],
ovsfw_consts.REG_REMOTE_GROUP,
agent_consts.REG_REMOTE_GROUP,
flow['actions']
)
self._add_flow(**flow)

9
neutron/agent/linux/openvswitch_firewall/rules.py
View File

@@ -16,6 +16,7 @@
import collections
import netaddr
from neutron_lib.agent.common import constants as agent_consts
from neutron_lib import constants as n_consts
from neutron_lib.plugins.ml2 import ovs_constants as ovs_consts
@@ -188,7 +189,7 @@ def create_flows_from_rule_and_port(rule, port, conjunction=False):
flow_template = {
'priority': 70 + flow_priority_offset(rule, conjunction),
'dl_type': ovsfw_consts.ethertype_to_dl_type_map[ethertype],
'reg_port': port.ofport,
agent_consts.PORT_REG_NAME: port.ofport,
}
if is_valid_prefix(dst_ip_prefix):
@@ -312,7 +313,7 @@ def create_flows_for_ip_address_and_mac(ip_address, mac_address, direction,
flow_template = {
'dl_type': ovsfw_consts.ethertype_to_dl_type_map[ethertype],
'reg_net': vlan_tag, # needed for project separation
agent_consts.NET_REG_NAME: vlan_tag, # needed for project separation
}
ip_ver = utils.get_ip_version(ip_prefix)
@@ -348,7 +349,7 @@ def create_accept_flows(flow):
flow['actions'] = (
'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s},'
'resubmit(,{:d})'.format(
ovsfw_consts.REG_NET, flow['actions'],
agent_consts.REG_NET, flow['actions'],
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
)
result.append(flow)
@@ -379,7 +380,7 @@ def create_conj_flows(port, conj_id, direction, ethertype):
# The matching is redundant as it has been done by
# conjunction(...,2/2) flows and flows can be summarized
# without this.
'reg_port': port.ofport,
agent_consts.PORT_REG_NAME: port.ofport,
}
flow_template = populate_flow_common(direction, flow_template, port)
flows = create_accept_flows(flow_template)

31
neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
View File

@@ -14,6 +14,7 @@
from unittest import mock
from neutron_lib.agent.common import constants as agent_consts
from neutron_lib.callbacks import events as callbacks_events
from neutron_lib.callbacks import registry as callbacks_registry
from neutron_lib.callbacks import resources as callbacks_resources
@@ -96,9 +97,9 @@ class TestCreateRegNumbers(base.BaseTestCase):
flow = {'foo': 'bar', 'reg_port': 1, 'reg_net': 2,
'reg_remote_group': 3}
expected_flow = {'foo': 'bar',
f'reg{ovsfw_consts.REG_PORT:d}': 1,
f'reg{ovsfw_consts.REG_NET:d}': 2,
f'reg{ovsfw_consts.REG_REMOTE_GROUP:d}': 3}
f'reg{agent_consts.REG_PORT:d}': 1,
f'reg{agent_consts.REG_NET:d}': 2,
f'reg{agent_consts.REG_REMOTE_GROUP:d}': 3}
ovsfw.create_reg_numbers(flow)
self.assertEqual(expected_flow, flow)
@@ -594,8 +595,8 @@ class TestOVSFirewallDriver(base.BaseTestCase):
def test__add_flow_registers_are_replaced(self):
self.firewall._add_flow(in_port=1, reg_port=1, reg_net=2)
expected_calls = {'in_port': 1,
f'reg{ovsfw_consts.REG_PORT:d}': 1,
f'reg{ovsfw_consts.REG_NET:d}': 2}
f'reg{agent_consts.REG_PORT:d}': 1,
f'reg{agent_consts.REG_NET:d}': 2}
self.mock_bridge.br.add_flow.assert_called_once_with(
**expected_calls)
@@ -789,9 +790,9 @@ class TestOVSFirewallDriver(base.BaseTestCase):
'set_field:{:d}->reg{:d},'
'resubmit(,{:d})'.format(
port.ofport,
ovsfw_consts.REG_PORT,
agent_consts.REG_PORT,
port.vlan_tag,
ovsfw_consts.REG_NET,
agent_consts.REG_NET,
ovs_consts.BASE_EGRESS_TABLE)}
expected_calls.append(mock.call(**call_args1))
@@ -805,9 +806,9 @@ class TestOVSFirewallDriver(base.BaseTestCase):
'set_field:{:d}->reg{:d},'
'strip_vlan,resubmit(,{:d})'.format(
port.ofport,
ovsfw_consts.REG_PORT,
agent_consts.REG_PORT,
port.vlan_tag,
ovsfw_consts.REG_NET,
agent_consts.REG_NET,
ovs_consts.BASE_INGRESS_TABLE)}
expected_calls.append(mock.call(**call_args2))
@@ -821,9 +822,9 @@ class TestOVSFirewallDriver(base.BaseTestCase):
'set_field:{:d}->reg{:d},'
'resubmit(,{:d})'.format(
port.ofport,
ovsfw_consts.REG_PORT,
agent_consts.REG_PORT,
port.vlan_tag,
ovsfw_consts.REG_NET,
agent_consts.REG_NET,
ovs_consts.BASE_INGRESS_TABLE)}
expected_calls.append(mock.call(**call_args2))
@@ -836,9 +837,9 @@ class TestOVSFirewallDriver(base.BaseTestCase):
'set_field:{:d}->reg{:d},'
'strip_vlan,resubmit(,{:d})'.format(
port.ofport,
ovsfw_consts.REG_PORT,
agent_consts.REG_PORT,
port.vlan_tag,
ovsfw_consts.REG_NET,
agent_consts.REG_NET,
ovs_consts.BASE_INGRESS_TABLE)}
expected_calls.append(mock.call(**call_args3))
self.mock_bridge.br.add_flow.assert_has_calls(expected_calls)
@@ -1117,9 +1118,9 @@ class TestOVSFirewallDriver(base.BaseTestCase):
'set_field:%d->reg%d,'
'resubmit(,%d)' % (
self.fake_ovs_port.ofport,
ovsfw_consts.REG_PORT,
agent_consts.REG_PORT,
TESTING_VLAN_TAG,
ovsfw_consts.REG_NET,
agent_consts.REG_NET,
ovs_consts.ACCEPT_OR_INGRESS_TABLE)
)
calls = self.mock_bridge.br.add_flow.call_args_list

3
neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py
View File

@@ -14,6 +14,7 @@
from unittest import mock
from neutron_lib.agent.common import constants as agent_consts
from neutron_lib import constants
from neutron_lib.plugins.ml2 import ovs_constants as ovs_consts
@@ -395,7 +396,7 @@ class TestCreateConjFlows(base.BaseTestCase):
flows[0]['actions'])
self.assertEqual("ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s},"
"resubmit(,{:d})".format(
ovsfw_consts.REG_NET, flows[0]['actions'],
agent_consts.REG_NET, flows[0]['actions'],
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
flows[1]['actions'])